nixos/middleman: Working Matrix

nixos/boxes/colony/vms/estuary/default.nix

@@ -154,6 +154,10 @@
                       port = "https";
                       dst = allAssignments.middleman.internal.ipv4.address + ":https";
                     }
+                    {
+                      port = 8448;
+                      dst = allAssignments.middleman.internal.ipv4.address + ":8448";
+                    }
                   ];
                 };
                 extraRules =
@@ -170,7 +174,7 @@
                       # Safe enough to allow all SSH
                       tcp dport ssh accept
 
-                      ${matchInet "tcp dport { http, https } accept" "middleman"}
+                      ${matchInet "tcp dport { http, https, 8448 } accept" "middleman"}
 
                       return
                     }

nixos/boxes/colony/vms/shill/containers/chatterbox.nix

@@ -58,6 +58,8 @@
 
                 listeners = [
                   {
+                    # Covers both IPv4 and IPv6
+                    bind_addresses = [ "::" ];
                     port = 8008;
                     type = "http";
                     tls = false;
@@ -70,8 +72,8 @@
                     ];
                   }
                   {
-                    port = 9000;
                     bind_addresses = [ "127.0.0.1" "::1" ];
+                    port = 9000;
                     type = "manhole";
 
                     # The NixOS module has defaults for these that we need to override since they don't make sense here

nixos/boxes/colony/vms/shill/containers/middleman/default.nix

@@ -49,7 +49,7 @@
             };
 
             firewall = {
-              tcp.allowed = [ "http" "https" ];
+              tcp.allowed = [ "http" "https" 8448 ];
             };
           };
 

nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix

@@ -1,7 +1,37 @@
 { lib, pkgs, config, ... }:
 let
-  inherit (builtins) mapAttrs;
-  inherit (lib) mkMerge mkDefault genAttrs;
+  inherit (builtins) mapAttrs toJSON;
+  inherit (lib) mkMerge mkDefault genAttrs flatten;
+
+  dualStackListen' = l: map (addr: l // { inherit addr; }) [ "0.0.0.0" "[::]" ];
+  dualStackListen = ll: flatten (map dualStackListen' ll);
+
+  mkWellKnown = type: content: pkgs.writeTextFile {
+    name = "well-known-${type}";
+    destination = "/${type}";
+    text = content;
+  };
+  wellKnownRoot = pkgs.symlinkJoin {
+    name = "http-wellknown";
+    paths = [
+      # For federation
+      (mkWellKnown "matrix/server" (toJSON {
+        "m.server" = "matrix.nul.ie:443";
+      }))
+      # For clients
+      (mkWellKnown "matrix/client" (toJSON {
+        "m.homeserver".base_url = "https://matrix.nul.ie";
+      }))
+    ];
+  };
+  wellKnown = {
+    "/.well-known/" = {
+      alias = "${wellKnownRoot}/";
+      extraConfig = ''
+        autoindex on;
+      '';
+    };
+  };
 in
 {
   services.nginx.virtualHosts =
@@ -11,6 +41,10 @@ in
         default = true;
         forceSSL = true;
         onlySSL = false;
+        locations = mkMerge [
+          { }
+          wellKnown
+        ];
       };
 
       "pass.nul.ie" =
@@ -30,9 +64,28 @@ in
       };
 
       "matrix.nul.ie" = {
-        globalRedirect = "element.nul.ie";
+        listen = dualStackListen [
+          {
+            port = 443;
+            ssl = true;
+          }
+          {
+            # Matrix federation
+            port = 8448;
+            ssl = true;
+            extraParameters = [ "default_server" ];
+          }
+        ];
+        locations = mkMerge [
+          {
+            "/".proxyPass = "http://chatterbox-ctr.${config.networking.domain}:8008";
+            "= /".return = "301 https://element.nul.ie";
+          }
+          wellKnown
+        ];
         useACMEHost = lib.my.pubDomain;
       };
+
       "element.nul.ie" =
       let
         headers = ''